Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

63b53532b4...60.exe

windows7-x64

5

63b53532b4...60.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    92s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/01/2024, 11:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    63b53532b4267aacb2fab99033d2ea60.exe

  • Size

    720KB

  • MD5

    63b53532b4267aacb2fab99033d2ea60

  • SHA1

    f4927de1d1c3b0f8f0b41e0dd64cadc62df32023

  • SHA256

    714f11ed7d83f9cd2067675f873f43e76781fa23982832998d9813738e2e26ab

  • SHA512

    b713f3cc89cf223b149b79d47b9b51e8dd0f23558144718b07abdc5ae5c38ad61acb7bb02df8ded04af4659849961dad03df99e598ff27a06f514761045d3538

  • SSDEEP

    12288:KhISonTeU3yl7oZgmt3HsnCeZX6Wnb7+NtoTKGZruC:U01OWsnR3b7atS1

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\63b53532b4267aacb2fab99033d2ea60.exe
    "C:\Users\Admin\AppData\Local\Temp\63b53532b4267aacb2fab99033d2ea60.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1432
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bgGYPWp.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2924
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bgGYPWp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA4FA.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2000
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
      2⤵
        PID:4860

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kdvfwzbp.aaw.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpA4FA.tmp
      Filesize

      1KB

      MD5

      064e01c755e1252a5ee45dfa973df78a

      SHA1

      588458aa6bcae7deaa22c71a8ce68758d56b743d

      SHA256

      9f4ebc9dc24c3a975d7b46c1db05e4e7fdaf119eb1fe836705e928ac9cd0e2c8

      SHA512

      0c67e5a9159b83260252450be5344a02fbb9928df154f51cd2ab068084cf8bb1b4e17568576d416e5ad86485adbfc19b49b027750645923aea63d9be0c01f8b2

      Download Submit

    • memory/1432-4-0x00007FF8CA8B0000-0x00007FF8CB371000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1432-13-0x00000000038C0000-0x00000000038D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1432-0-0x0000000000CD0000-0x0000000000D8A000-memory.dmp

      Filesize

      744KB

      Download

    • memory/1432-5-0x0000000003910000-0x0000000003922000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1432-6-0x000000001C980000-0x000000001C990000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1432-7-0x000000001D680000-0x000000001D700000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1432-1-0x00007FF8CA8B0000-0x00007FF8CB371000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1432-3-0x000000001C8E0000-0x000000001C8FA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1432-2-0x00000000038C0000-0x00000000038D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1432-28-0x00007FF8CA8B0000-0x00007FF8CB371000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2924-25-0x00000133BD780000-0x00000133BD790000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2924-26-0x00000133D5E90000-0x00000133D5EB2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2924-24-0x00007FF8CA8B0000-0x00007FF8CB371000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2924-31-0x00007FF8CA8B0000-0x00007FF8CB371000-memory.dmp

      Filesize

      10.8MB

      Download